Hemantha,

NiFi performs a token request. From that response, NiFi gets the ID token, which is included because the 'openid' scope is specified when we invoke the authorization endpoint. NiFi also requests the 'email' scope, which NiFi will use as the user identity. We do obtain the expiration from the ID token claimset (not the access token), which we honor in the token that NiFi generates internally.

NiFi will only use the access token to invoke the User endpoint if the email claim is not included in the ID token's claimset. The access token is not saved or persisted by NiFi because we do not need to invoke any other APIs from the identity provider.

It's likely that there are some improvements that could be made here. From reading the spec, it appears that the intent of the refresh token is to obtain a new access token. It's not clear whether this process should be used to obtain a new ID token. This is something that should be investigated further. You could also check if there is another setting in your identity provider for the ID Token Lifespan. Another option is that NiFi could introduce a new property that allows the admin to configure how long it wants to allow our 'sessions' to last.

Matt

On Wed, Aug 21, 2019 at 9:49 AM Kumara M S, Hemantha (Nokia - IN/Bangalore) <[email protected]> wrote:

> Hi,
>
> We have configured a NiFi cluster and are using OpenID Connect (Keycloak <https://www.keycloak.org/>) for user authentication.
> In Keycloak, here are some of the token configuration settings in the realm settings:
>
> * SSO Session Idle: 30 Minutes
> * Access Token Lifespan: 1 Minute
>
> The issue is that the NiFi UI gives an error after every one minute: "Session Expired: Your session has expired. Please press Ok to log in again.", and just after that: "Unknown user with identity 'anonymous'. Contact the system administrator". Is this because NiFi is checking session validity using only the access_token?
>
> From the Keycloak documentation
> https://www.keycloak.org/docs/latest/server_admin/index.html#_oidc-auth-flows
> the access_token is short lived for security purposes. Shouldn't NiFi use the refresh token to check session validity and request a new token that will renew the session if required?
>
> Regards,
> Hemantha
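The claim-handling logic Matt describes (identity taken from the ID token's 'email' claim, the access token spent on the UserInfo endpoint only when that claim is absent, and the session lifetime taken from the ID token's 'exp' rather than the access token's) can be illustrated in a few lines. The following is an added, self-contained Python example, not NiFi's own code: it signs a constructed ID token with HS256 and a constructed shared secret so that it runs offline, whereas a real provider such as Keycloak signs with RS256 and the verifier would fetch the public key from the provider's JWKS endpoint. The issuer and audience values, the `userinfo_lookup` callback and all sample claims are placeholders.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Callable, Optional, Tuple

# Constructed values for the example only (a real verifier uses the IdP's
# RS256 public key from its JWKS endpoint, and the real issuer/client id).
DEMO_SECRET = b"constructed-demo-secret"
EXPECTED_ISSUER = "https://idp.example.invalid/realms/demo"  # placeholder
EXPECTED_AUDIENCE = "nifi-client"                             # placeholder


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Build an HS256-signed JWT from a claim set (test fixture only)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_id_token(token: str, secret: bytes = DEMO_SECRET,
                    now: Optional[float] = None) -> dict:
    """Check signature, algorithm, issuer, audience and expiry; return claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: never let the token header choose how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if aud != EXPECTED_AUDIENCE and not (isinstance(aud, list)
                                         and EXPECTED_AUDIENCE in aud):
        raise ValueError("audience mismatch")
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("ID token expired")
    return claims


def resolve_identity(claims: dict,
                     userinfo_lookup: Callable[[], dict]) -> Tuple[str, int]:
    """Return (identity, session_expiry) following the behaviour described.

    The identity is the ID token's 'email' claim; only when it is absent is
    the access token used for a UserInfo call (modelled by userinfo_lookup).
    The session expiry is the ID token's 'exp', not the access token lifetime,
    which is why a 1-minute access token alone does not end the session.
    """
    email = claims.get("email")
    if not email:
        email = userinfo_lookup().get("email")
    if not email:
        raise ValueError("no email available from ID token or UserInfo")
    return email, int(claims["exp"])


if __name__ == "__main__":
    now = time.time()
    token = make_id_token({"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE,
                           "exp": int(now) + 1800, "email": "alice@example.org"})
    identity, expiry = resolve_identity(verify_id_token(token),
                                        lambda: {"email": "unused"})
    print(identity, "session valid for", expiry - int(now), "seconds")
```

In this model the 30-minute session in the question comes entirely from the ID token's `exp`; the access token is only touched when the UserInfo fallback fires, and any refresh-token handling would have to be added separately, as Matt notes.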
